An intrusion detection system (IDS) is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). Intrusion detection also uses vulnerability assessment (sometimes referred to as scanning), a technology developed to assess the security of a computer system or network.
Intrusion detection functions include:
Monitoring and analyzing both user and system activities,
Analyzing system configurations and vulnerabilities,
Assessing system and file integrity,
Ability to recognize patterns typical of attacks,
Analysis of abnormal activity patterns, and
Tracking user policy violations.
An IDS is configured to generate an alarm when an event considered malicious is detected. To reduce the number of false positives in event detection, correlation between events may be taken into account; that is, the context in which an event is detected may also affect whether the event is classified as suspicious or not.
U.S. Patent Application 2002/0078381, “Method and System for Managing Computer Security Information”, presents one solution for real-time event sequence detection. Therein, a fusion engine “fuses” event information from multiple data sources and analyzes this information in order to detect relationships between the events that may indicate malicious behavior. According to the method presented, event data are classified into different event type categories and a ranking is assigned to each event. Relationships between events are then identified, and on the basis of those relationships a mature correlation event, indicating that malicious behavior has been detected, is generated. Nevertheless, the document neither teaches a specific technique for identifying the relationships nor provides an effective way to implement event sequence detection.
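As an added example, not taken from the cited patent application or any product, the following Python sketches the correlation approach just described: raw log lines are classified into event type categories with a rank, a relationship (an ordered sequence of categories from one source within a time window) is identified, and a mature correlation event is generated only when that relationship is found and the summed rank reaches a threshold. The log lines, categories, ranks, sequence, window and threshold are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# Constructed sample sensor log lines (hypothetical): "<timestamp> <source> <message>".
SAMPLE_LOG = [
    "2024-01-01T10:00:00 10.0.0.5 portscan detected 40 ports",
    "2024-01-01T10:00:30 10.0.0.5 login failed user=admin",
    "2024-01-01T10:00:40 10.0.0.5 login failed user=admin",
    "2024-01-01T10:01:10 10.0.0.5 login success user=admin",
    "2024-01-01T10:01:20 10.0.0.9 login failed user=bob",
    "2024-01-01T10:01:25 10.0.0.9 dhcp lease renewed",
    "2024-01-01T11:30:00 10.0.0.9 login success user=bob",
    "2024-01-01T09:00:00 10.0.0.7 portscan detected 12 ports",
    "2024-01-01T10:02:00 10.0.0.7 login failed user=root",
    "2024-01-01T10:02:30 10.0.0.7 login success user=root",
]
# Step 1: event type categories and the rank (weight) assigned to each; values are assumed.
EVENT_TYPES = {"portscan": ("RECON", 1), "login failed": ("AUTH_FAIL", 2), "login success": ("AUTH_OK", 1)}
# Step 2: the relationship that yields a mature correlation event: this ordered sequence
# of categories from one source within WINDOW, with summed rank of at least THRESHOLD.
SEQUENCE, WINDOW, THRESHOLD = ["RECON", "AUTH_FAIL", "AUTH_OK"], timedelta(minutes=5), 4
Event = namedtuple("Event", "ts source category rank")

def classify(line):
    """Map one raw log line to a categorised, ranked Event; None if its type is not tracked."""
    ts, source, msg = line.split(" ", 2)
    for prefix, (category, rank) in EVENT_TYPES.items():
        if msg.startswith(prefix):
            return Event(datetime.fromisoformat(ts), source, category, rank)
    return None

def correlate(lines):
    """Return one mature correlation event per source whose events contain SEQUENCE, in order, within WINDOW."""
    by_source = {}
    for e in sorted(filter(None, map(classify, lines)), key=lambda e: e.ts):
        by_source.setdefault(e.source, []).append(e)
    alerts = []
    for source, evs in by_source.items():
        for i, first in enumerate(evs):
            stage, score = 0, 0
            for e in evs[i:]:
                if e.ts - first.ts > WINDOW:  # outside the context window: not related
                    break
                score += e.rank  # every in-window event contributes its rank to the fused score
                if e.category == SEQUENCE[stage]:  # next expected type in the sequence arrived
                    stage += 1
                if stage == len(SEQUENCE):
                    break
            if stage == len(SEQUENCE) and score >= THRESHOLD:
                alerts.append({"source": source, "score": score, "start": first.ts.isoformat()})
                break  # one correlation event per source is enough
    return alerts
```

Only 10.0.0.5 produces a correlation event: 10.0.0.9 never completes the sequence, and 10.0.0.7's port scan lies outside the window of its later logins, so the same events in a different context raise no alarm.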